October 2007 - Posts
I'm sure it'll come as no shock to regular visitors here to learn that I've upgraded to Leopard today. Will it last as long as my Vista install? Place your bets now!
The Leopard install took about 30 or 40 mins with the "archive" install option, which tells OS X to archive away your old OS install and app folders, create a clean install and then import your applications, documents, and user settings into the new OS. Based on my experiences with the Panther -> Tiger upgrades at home and at work, this is often the best way to upgrade OS X. It certainly was a smooth process, asking me very little and simply getting on with things.
Leopard itself... A little early to give many thoughts on it. If you've got any interest in Apple's OS at all you'll already know that it's a refinement of their previous OS release rather than a revolution, so think in terms of lots of small improvements and little touches and you'll get the idea. It seems to be at least as fast and responsive on the same hardware as my previous Tiger install, and while I'm having to upgrade various apps in order to get things working properly, this really doesn't appear to be a bad upgrade at all, so far.
Some of the stylings might take a while to get used to. A lot of people are not at all keen on the new "faux-3D" dock style (see screenshot above), and it certainly does look a little odd. I plan to give it a chance before trying to fiddle with it myself.

Finder (does the job of Explorer, for the Windows people out there) has had a style update, and the sidebar and brushed-metal finish is obviously based on the iTunes look and feel. I quite like it, but then I quite like iTunes. The transparent menu bar at the top of the screen does have me wondering; I found the transparent "Aero" interface in Vista made reading menu options harder, but despite seeing a few people say the same about Leopard this has not been my experience. In fact I made a point of trying it just now with a page of text open underneath the menu area and had no trouble at all reading menu items. Still, it's a bit of a "lipstick on a chicken" option; it doesn't seem to add much.
What I like:
Well we'll start with the upgrade process. As ever, before upgrading any OS on any platform from any manufacturer, you should take a full backup first. Good advice from John Gruber right here.
My install took a while, mostly because I chose the archive and install option, where the installer archives your old OS install and app folders (maybe there's a clue in the name of the function here?), then effectively performs a clean install and imports your old applications, settings and user folder into the new install. Despite what some people say, this is almost certainly overkill for the majority of users; unless you are a computer geek like me who likes to poke around under the hood and change every setting you can, the normal upgrade process should be just fine. I had to upgrade a few apps after my install, I had to re-install my printer (like searching for it in Bonjour, selecting the only printer on my home network from a list of one and waiting 30 seconds was so tough), and I freely admit I've not been playing with the new install long enough to find all the real nasties, but all in all things seem to be just fine so far.
The Product Activation Process. Or rather, the lack of one. Apple actually don't treat me like a criminal out on probation to my face by way of saying thanks for buying their software. Fancy that!
Much to my surprise, I'm finding myself turning on the Coverflow option in Finder (screenshot above). We'll see if it remains on, but I am quite enjoying 'flicking' through my documents with it, and overall this may turn out to be a much more useful feature than I originally thought. When combined with Time Machine (below) it really starts to make sense; what better way to quickly look through old versions of a file or directory to recover old data?
Time Machine looks pretty good too. Let's be clear here, it's very similar in concept to Volume Shadow Copies on Windows. The devil is in the details however, and where Volume Shadow Copies are difficult for "normal" users to understand, Time Machine is very simple indeed.
This is a key point because it doesn't matter how good your technology is, if your target users can't figure out how to use it, then it might as well not exist at all. As a techie computer person I find VSS quite easy to use, to be honest, but I shudder to think of talking some people I know through using VSS over the phone. As for Time Machine, if you can use Mac OS X's Finder with any degree of competence then you'll be able to use Time Machine quite happily.
I quite like Spaces too. On Tiger I was a big fan of VirtueDesktops for a while (it plays especially well with virtual machines) but when Leopard and Spaces became known the author of VirtueDesktops quite understandably decided to stop developing the product. I haven't tried Spaces out with a VM just yet, but it seems to be fast and easy to use, with the sort of smooth integration you've come to expect of an Apple OS component when compared to a 3rd party plugin; not that I'm hating on VirtueDesktops, it's just at a disadvantage compared to Spaces. In reality this is the sort of utility that's been available for most other Unix type GUIs for ages, so while it's a welcome addition, it's also playing catch-up.
Mail has a few improvements that I think are noteworthy. I'm not going to burble on about stationery, I'm sure most of you can guess my opinion of HTML email is generally unrepeatable. Rather, the addition of notes and to-do options seems to be quite interesting; these are not just random bits of text that are kept in mail.app for want of a better place to put them, but rather can be stored on your email account if you're using something like IMAP. This opens up the possibility of being able to share these between computers in different places, which might just be the start of something interesting.
What I don't like:
So far, I'm not a big fan of Stacks. The idea is nice and well enough implemented but it doesn't go far enough; I have to keep using Overflow to 'stack' applications in the application part of the dock because either stacks won't do it for me or I can't figure it out, even after reading the help. Either way, a bit of a let-down. Not that I mind using Overflow, it's very nice software that I'm awfully glad I purchased, but leaving that sort of functionality out of stacks seems rather odd to me. I know you can create a folder full of aliases and dump it into the documents part of the dock to work with Stacks, in fact I used to do this with spring-loaded folders before I found Overflow, but it just isn't the same.
Remote Desktop seems a little buggy to me at the moment. Perhaps it's just a settings tweak when you consider I'm going from WinVNC on an XP machine, but either way this works less well in Leopard right now than it did in Tiger yesterday. Yes, this is nitpicking, which should actually tell you how good the new OS is; let's face it, I'm not shy of ranting and complaining when I think I have reason to!
Overall
Evolution rather than revolution. That's Leopard. It was also Tiger when that was first released too, so this is nothing new from Apple. By doing "smaller, more regular releases" Apple have deftly avoided a lot of the pain that Microsoft courted with the release of Vista and its massive shift in how it reacted to users when compared to their previous OS releases. There are arguably very few obvious "must halt everything and go out and buy this right now" features in this OS release, but the sum total of all the features combined adds up to a very smooth, powerful and compelling upgrade for any OS X, Windows XP or Windows Vista user.
There's a lot more going on "under the hood" here as always with any OS release, major improvements to the OS kernel, security and future proofing (improved 64-bit support) are all here; the UI differences and fancy features are the tip of an iceberg that stretches all the way down into the core of the system and I expect to see new applications and features build on top of all the improvements in Leopard as time goes by.
It's still a good time to own a Mac. Be nice to a Vista owner today and don't show him your new operating system!
Ok, the Captain has to comment on this article, discovered through daring fireball. No wait, that link is dead because the author of the article decided to issue some kind of correction.
For months now, you've barely been able to pop open a web browser without spotting a few iPhone stories raving about the fact that it only does what it says it does. That could spell trouble for journalists who are unable to read and IT Managers who believe the opinions of apparently brain-dead journalists without checking facts (perhaps these kinds of IT Managers should get a job writing for pcworld.com?).
From the article: "Most consumers won't find much fault with their iPhone's e-mail support. It handles IMAP and POP3, as well as a variety of webmail services such as GMail and Yahoo Mail. But if, like the preponderance of large enterprises, you run Microsoft Exchange, forget it."
But I don't want to forget it. I know the owner of this site used IMAP to talk to his exchange email account at work for years from his phone, while waiting for Microsoft's email server division and mobile device division to decide how to talk to one another.
"Sure, you could work around this problem to get e-mail to your users' phones by configuring their accounts for POP3 access as well,"
Ok. And now the captain is all confused. Wouldn't you use IMAP, as that is supported very well by both players in this play the captain likes to call "reading your mail", and provides a reasonably close experience to what Microsoft are trying to do with Exchange and Windows Mobile?
"but that just gives them the latitude to delete messages willy nilly, which is bound to mean more support calls for you."
Wow. Just wow. Are you saying that deleting messages at all is Just Plain Wrong? Or that deleting "Willy Nilly" is something you can only do from an iPhone and that it's also wrong somehow. Or did you mean to type "I'm a complete and total idiot. The only way I could be more of a tool is if I had a price tag stuck between my eyes from your local hardware store."
But typing "Willy Nilly" is kind of fun. You've got something going there. The crap journalist scattered blatantly wrong rubbish throughout his article, all willy-nilly. Say, that was fun!
"The iPhone also cuts users off from useful Exchange features such as group scheduling."
Right. I'll let you have that one as I have no idea on that issue and I appear to be wiping the floor with you anyway.
"At the same time, the iPhone lacks support for Microsoft Office file attachments, which means that, unlike the Blackberrys, Moto Qs, and Blackjacks you may have now, it can't open a Word document or Excel spreadsheet at all."
Apple would disagree. They seem to think their phone can open PDF, Word and Excel docs just fine. Don't know about PPT though. But are you saying their list here is wrong?
"In addition to these major shortcomings, the iPhone currently offers no VPN support, so you can forget about giving your users secure access to internal network resources from the road."
Seems that Apple, yet again, disagree. Maybe they don't offer support for whatever esoteric VPN client you prefer but that's totally different from "no VPN support".
"But the worst problem with the iPhone is likely to be its reliance on Apple's iTunes, which it uses for updating everything from its calendar to its system software. At this point, I've yet to meet a single IT manager who would be willing to add iTunes to his or her list of supported apps."
Hi. I'm Captain Obvious and I'd do that no problem. The owner of this site, Rob, said to say "Hi" too. Apparently iTunes is a supported app across his entire network (couple of thousand users apparently) should anyone show a need to have it.
iTunes and Quicktime are perhaps not the best-behaved networkable apps on Windows machines but they're a very long way from being the worst.
"And while the iCal calendar format may be gaining ground in the consumer space, it still lacks compatibility with many business scheduling systems, which means many business users won't be able to get their calendars onto their handsets."
Another point for you, I guess. Though these people could use Outlook Web Access to get at their calendar. And group functions now I think about it. Strikes me that if someone real important insisted, you could put something together based around tools like this though.
"So the next time your CEO comes bounding into your office demanding an iPhone to complement his slick self-image, take heed. Or maybe just show him this article."
Right. Because I need my boss to think I take advice on his IT strategy from no-talent asshats who can't spend 20 seconds doing the most basic checking of facts before running their mouth off. Why don't I just save us all some time by quitting right now?
"Fashionable and advanced though it may be for consumers, the iPhone simply isn't ready to do business."
Depends on what your business is. This site published a list of "issues" we think we spotted with the iPhone some time ago, and we still have our doubts. But those issues will not affect every business out there. And while some people will probably disagree with our list here, at least we didn't make it up out of whole cloth.
But I'm too busy laughing to stop and point it out.
Yet another in the "I get asked this a lot and so finally I decided to write an article" series.
This question keeps being asked repeatedly by the victims of hackers breaking into their web server. The answers very rarely change, but people keep asking the question. I'm not sure why. Perhaps people just don't like the answers they've seen when searching for help, or they can't find someone they trust to give them advice. Or perhaps people read an answer to this question and focus too much on the 5% of why their case is special and different from the answers they can find online and miss the 95% of the question and answer where their case is near enough the same as the one they read online.
That brings me to my first important nugget of information. I really do appreciate that you are a special unique snowflake. I appreciate that your website is too, as it's a reflection of you and your business or at the very least, your hard work on behalf of an employer. But to someone on the outside looking in, whether a computer security person looking at the problem to try and help you or even the attacker himself, it is very likely that your problem will be at least 95% identical to every other case they've ever looked at.
Don't take the attack personally, and don't take the recommendations that follow here or that you get from other people personally. If you are reading this after just becoming the victim of a website hack then I really am sorry, and I really hope you can find something helpful here, but this is not the time to let your ego get in the way of what you need to do.
You have just found out that your server(s) got hacked. Now what?
Do not panic. Absolutely do not act in haste, and absolutely do not try and pretend things never happened and not act at all.
If you've read my previous post about risk management, or any of the much better articles about risk management out on the web, you'll understand that the disaster has already happened. This is not the time for denial; it is the time to accept what has happened, to be realistic about it, and to take steps to manage the consequences of the impact.
Some of these steps are going to hurt, and (unless your website holds a copy of my details) I really don't care if you ignore all or some of them, but following them will make things better in the end. The medicine might taste awful but sometimes you have to overlook that if you really want the cure to work.
Stop the problem from becoming worse than it already is:
- The first thing you should do is disconnect the affected systems from the Internet. Whatever other problems you have, leaving the system connected to the web will only allow the attack to continue. I mean this quite literally; get someone to physically visit the server and unplug network cables if that is what it takes, but disconnect the victim from its muggers before you try to do anything else.
- Change all your passwords for all accounts on all computers that are on the same network as the compromised systems. No really. All accounts. All computers. Yes, you're right, this might be overkill; on the other hand, it might not. You don't know either way, do you?
- Check your other systems. Pay special attention to other Internet facing services, and to those that hold financial or other commercially sensitive data.
- If the system holds anyone's personal data, make a full and frank disclosure to anyone potentially affected at once. I know this one is tough. I know this one is going to hurt. I know that many businesses want to sweep this kind of problem under the carpet but I'm afraid you're just going to have to deal with it.
Still hesitating to take this last step? I understand, I do. Nevertheless, let me break this down for you Robert-style:
In some places you might well have a legal requirement to inform the authorities and/or the victims of this kind of privacy breach. However annoyed your customers might be to have you tell them about a problem, they'll be far more annoyed if you don't tell them, and they only find out for themselves after someone charges $8,000 worth of goods using the credit card details they stole from your site.
Remember what I said in the previous section? The bad thing has already happened. The only question now is how well you deal with it.
Understand the problem fully:
- Do NOT put the affected systems back online until this stage is fully complete, unless you want to be the person whose post was the tipping point for me actually deciding to write this article. I'm not linking to the post so that people can get a cheap laugh; I'm linking to warn you of the consequences of failing to follow this first step.
- Examine the 'attacked' systems to understand how the attacks succeeded in compromising your security. Make every effort to find out where the attacks "came from", so that you understand what problems you have and need to address to make your system safe in the future.
- Examine the 'attacked' systems again, this time to understand where the attacks went, so that you understand what systems were compromised in the attack. Ensure you follow up any pointers that suggest compromised systems could become a springboard to attack your systems further.
- Ensure the "gateways" used in any and all attacks are fully understood, so that you may begin to close them properly. (e.g. if your systems were compromised by a SQL injection attack, then not only do you need to close the particular flawed line of code that they broke in by, you would want to audit all of your code to see if the same type of mistake was made elsewhere).
- Understand that attacks might succeed because of more than one flaw. Often, attacks succeed not through finding one major bug in a system but by stringing together several issues (sometimes minor and trivial by themselves) to compromise a system. For example, using SQL injection attacks to send commands to a database server, discovering the website/application you're attacking is running in the context of an administrative user and using the rights of that account as a stepping-stone to compromise other parts of a system. Or as hackers like to call it: "another day in the office taking advantage of common mistakes people make".
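Working out where the attacks "came from" and which requests were the gateway usually starts with the web server's access log. The following is an added example, not code from the original post: a first-pass triage script that decodes each request path, flags the usual SQL injection and path traversal tell-tales, and groups the results by source address with first and last seen times. The log lines, addresses and site paths are constructed for the example; the indicator patterns are deliberately crude and should be tuned to the application.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample of Apache "combined" access-log lines for a hypothetical
# /product.php site; addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2007:03:12:01 +0100] "GET /product.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2007:03:12:04 +0100] "GET /product.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48812 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2007:03:12:09 +0100] "GET /product.php?id=12%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2007:03:15:42 +0100] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Oct/2007:03:13:30 +0100] "POST /admin/upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Oct/2007:04:01:10 +0100] "GET /../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.16"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Crude indicators for a first pass over the *decoded* request path. The aim is
# to find the sources and the gateway requests quickly, not to build an IDS.
INDICATORS = {
    "sqli": re.compile(r"(\bunion\b.*\bselect\b|'\s*or\s*'|\bor\s+1\s*=\s*1"
                       r"|--\s*$|/\*|;\s*drop\b|information_schema|\bsleep\s*\()", re.I),
    "traversal": re.compile(r"\.\./"),
    "admin_path": re.compile(r"^/admin/", re.I),
}


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Payloads hide behind URL encoding; always decode before matching.
    rec["decoded_path"] = unquote_plus(rec["path"])
    rec["tags"] = sorted(name for name, rx in INDICATORS.items()
                         if rx.search(rec["decoded_path"]))
    return rec


def triage(log_text):
    """Group requests by source address and summarise the flagged ones."""
    sources = defaultdict(lambda: {"hits": 0, "suspicious": 0, "tags": set(),
                                   "first": None, "last": None, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = sources[rec["ip"]]
        src["hits"] += 1
        src["first"] = rec["ts"] if src["first"] is None else min(src["first"], rec["ts"])
        src["last"] = rec["ts"] if src["last"] is None else max(src["last"], rec["ts"])
        if rec["tags"]:
            src["suspicious"] += 1
            src["tags"].update(rec["tags"])
            src["samples"].append((rec["ts"], rec["status"], rec["decoded_path"]))
    return dict(sources)


def suspicious_sources(log_text):
    """Source addresses with at least one flagged request, worst first."""
    summary = triage(log_text)
    return sorted(((ip, s["suspicious"]) for ip, s in summary.items() if s["suspicious"]),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        if s["suspicious"]:
            print(f"{ip}: {s['suspicious']}/{s['hits']} flagged, tags={sorted(s['tags'])}, "
                  f"active {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
            for ts, status, path in sorted(s["samples"]):
                print(f"    {ts:%H:%M:%S} {status} {path}")
```

Note what the grouping buys you: the source that sent the injection payloads is the same one that later posted to an admin-only path, which is exactly the "where did the attack go next" question the checklist asks. Run it against the logs of every server that shares the network, not just the one you know was hit, and remember that a log on a compromised box may have been edited; a copy shipped to another host is worth far more.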
Make a plan for recovery and to bring your website back online and stick to it:
Nobody wants to be offline for longer than they have to be. That's a given. If this website is a revenue generating mechanism then the pressure to bring it back online quickly will be intense. Even if the only thing at stake is your / your company's reputation, this is still going to generate a lot of pressure to put things back up quickly.
However, don't give in to the temptation to go back online too quickly. Instead, move as fast as you can to understand what caused the problem and to solve it before you go back online, or else you will almost certainly fall victim to an intrusion once again, and remember, "to get hacked once can be classed as misfortune; to get hacked again straight afterwards looks like carelessness" (with apologies to Oscar Wilde).
- I'm assuming you've understood all the issues that led to the successful intrusion in the first place before you even start this section. I don't want to overstate the case but if you haven't done that first then you really do need to. Sorry.
- Never pay blackmail / protection money. This is the sign of an easy mark and you don't want that phrase ever used to describe you.
- Don't be tempted to put the same server(s) back online without a full rebuild. It should be far quicker to build a new box or "nuke the server from orbit and do a clean install" on the old hardware than it would be to audit every single corner of the old system to make sure it is clean before putting it back online again. If you disagree with that then you probably don't know what it really means to ensure a system is fully cleaned, or your website deployment procedures are an unholy mess. You presumably have backups and test deployments of your site that you can just use to build the live site, and if you don't then being hacked is not your biggest problem.
- Be very careful about re-using data that was "live" on the system at the time of the hack. I won't say "never ever do it" because you'll just ignore me, but frankly I think you do need to consider the consequences of keeping data around when you know you cannot guarantee its integrity. Ideally, you should restore this from a backup made prior to the intrusion. If you cannot or will not do that, you should be very careful with that data because it's tainted. You should especially be aware of the consequences to others if this data belongs to customers or site visitors rather than directly to you.
- Monitor the system(s) carefully. You should resolve to do this as an ongoing process in the future (more below) but take extra pains to be vigilant during the period immediately following your site coming back online. The intruders will almost certainly be back, and if you can spot them trying to break in again you will be able to see quickly whether you really have closed all the holes they used before plus any they made for themselves, and you might gather useful information you can pass on to your local law enforcement.
Reducing the risk in the future.
The first thing you need to understand is that security is a process that you have to apply throughout the entire life-cycle of designing, deploying and maintaining an Internet-facing system, not something you can slap a few layers over your code afterwards like cheap paint. To be properly secure, a service and an application need to be designed from the start with this in mind as one of the major goals of the project. I realise that's boring and you've heard it all before and that I "just don't realise the pressure man" of getting your beta web2.0 (beta) service into beta status on the web, but the fact is that this keeps getting repeated because it was true the first time it was said and it hasn't yet become a lie.
You can't eliminate risk. You shouldn't even try to do that. What you should do however is to understand which security risks are important to you, and understand how to manage and reduce both the impact of the risk and the probability that the risk will occur (yes, that article again. There's a serious point in there you know).
What steps can you take to reduce the probability of an attack being successful?
For example:
- Was the flaw that allowed people to break into your site a known bug in vendor code, for which a patch was available? If so, do you need to re-think your approach to how you patch applications on your Internet-facing servers?
- Was the flaw that allowed people to break into your site an unknown bug in vendor code, for which a patch was not available? I most certainly do not advocate changing suppliers whenever something like this bites you because they all have their problems and you'll run out of platforms in a year at the most if you take this approach. However, if a system constantly lets you down then you should either migrate to something more robust or at the very least, re-architect your system so that vulnerable components stay wrapped up in cotton wool and as far away as possible from hostile eyes.
- Was the flaw a bug in code developed by you (or a contractor working for you)? If so, do you need to re-think your approach to how you approve code for deployment to your live site? Could the bug have been caught with an improved test system, or with changes to your coding "standard" (for example, while technology is not a panacea, you can reduce the probability of a successful SQL injection attack by using well-documented coding techniques such as parameterised queries instead of building SQL strings out of user input)?
- Was the flaw due to a problem with how the server or application software was deployed? If so, are you using automated procedures to build and deploy servers where possible? These are a great help in maintaining a consistent "baseline" state on all your servers, minimising the amount of custom work that has to be done on each one and hence hopefully minimising the opportunity for a mistake to be made. Same goes with code deployment - if you require something "special" to be done to deploy the latest version of your web app then try hard to automate it and ensure it always is done in a consistent manner.
- Could the intrusion have been caught earlier with better monitoring of your systems? Of course, 24-hour monitoring or an "on call" system for your staff might not be cost effective, but there are companies out there who can monitor your web facing services for you and alert you in the event of a problem. You might decide you can't afford this or don't need it and that's just fine... just take it into consideration.
- Use tools such as Tripwire and Nessus where appropriate - but don't just use them blindly because I said so. Take the time to learn how to use a few good security tools that are appropriate to your environment, keep these tools updated and use them on a regular basis.
- Consider hiring security experts to 'audit' your website security on a regular basis. Again, you might decide you can't afford this or don't need it and that's just fine... just take it into consideration.
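The "consistent baseline" and "Tripwire" points above come down to one thing: knowing what the deployed tree is supposed to contain so that a change stands out. The following is an added example, not code from the original post or from Tripwire itself: it hashes every file under a web root into a manifest at deployment time, then compares a later manifest against it and reports added, removed and modified files. The web root and the tampering are constructed inside a temporary directory for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a symlink's target is not part of the deployed tree
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed between a trusted baseline and the live tree."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: snapshot a tiny web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'app'; ?>\n")
        (root / "old.txt").write_text("stale\n")

        baseline = build_manifest(root)  # taken at deployment time, kept off-box

        # The sort of thing an intruder leaves behind: a dropped script in the
        # upload directory, a backdoored page and a removed file.
        (root / "uploads" / "shell.php").write_text("<?php // dropped web shell ?>\n")
        with open(root / "index.php", "a") as f:
            f.write("<?php // appended backdoor ?>\n")
        (root / "old.txt").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would want. Keep the baseline manifest (and the tool) somewhere the web server cannot write to; a manifest stored on the box it describes is just one more file for the intruder to edit. And a check like this runs as an ordinary process, so a kernel-level rootkit can lie to it about what is on disk; it is a cheap early-warning system, not proof that a machine is clean, which is why the advice above is still to rebuild rather than to audit.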
What steps can you take to reduce the consequences of a successful attack?
If you decide that the "risk" of the lower floor of your home flooding is high, but not high enough to warrant moving, you should at least move the irreplaceable family heirlooms upstairs. Right?
- Can you reduce the amount of services directly exposed to the Internet? Can you maintain some kind of gap between your internal services and your Internet-facing services? This ensures that even if your external systems are compromised the chances of using this as a springboard to attack your internal systems are limited.
- Are you storing information you don't need to store? Are you storing such information "online" when it could be archived somewhere else? There are two points to this part; the obvious one is that people cannot steal information from you that you don't have, and the second point is that the less you store, the less you need to maintain and code for, and so there are fewer chances for bugs to slip into your code or systems design.
- Are you using "least access" principles for your web app? If users only need to read from a database, then make sure the account the web app uses to service this only has read access to the tables it actually needs; don't allow it write access and certainly not system-level (database administrator) access.
- If you're not very experienced at something and it is not central to your business, consider outsourcing it. In other words, if you run a small website talking about writing desktop application code and decide to start selling small desktop applications from the site then consider "outsourcing" your credit card order system to someone like Paypal.
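The "least access" item above and the SQL injection example in the "understand the problem" section fit together, and the following added example (not code from the original post) shows both halves side by side: a lookup that pastes user input into its SQL next to the parameterised fix, run once under a database account that can do anything and once under one that can only read the table the application needs. The schema and data are constructed for the example. SQLite has no user accounts, so its authorizer hook stands in for the GRANT you would apply to a dedicated account on a real database server.

```python
import sqlite3

# Tables the web app's database account is allowed to read. Everything else
# (writes, schema changes, other tables) is denied.
APP_READABLE_TABLES = {"users"}


def app_authorizer(action, table, column, dbname, trigger):
    if action == sqlite3.SQLITE_READ:
        return sqlite3.SQLITE_OK if table in APP_READABLE_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # INSERT, UPDATE, DELETE, DROP, CREATE, PRAGMA, ...


def open_db(least_privilege):
    """Constructed sample schema: a users table, plus a payments table the web
    app has no business reading. All data here is made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, card TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('bob');
        INSERT INTO payments (card) VALUES ('4111111111111111');
    """)
    if least_privilege:
        conn.set_authorizer(app_authorizer)
    return conn


def find_user_vulnerable(conn, name):
    # The bug: user input is pasted straight into the SQL text.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # The fix: a parameterised query; the driver never treats the value as SQL.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def attempt(lookup, name, least_privilege):
    """Run a lookup and return either its rows or the database's refusal."""
    conn = open_db(least_privilege)
    try:
        return lookup(conn, name)
    except sqlite3.DatabaseError as exc:
        return "denied: %s" % exc
    finally:
        conn.close()


TAUTOLOGY = "' OR '1'='1"
STEAL_CARDS = "' UNION SELECT id, card FROM payments--"

if __name__ == "__main__":
    print(attempt(find_user_vulnerable, TAUTOLOGY, False))    # every user leaks
    print(attempt(find_user_vulnerable, STEAL_CARDS, False))  # card data leaks
    print(attempt(find_user_vulnerable, STEAL_CARDS, True))   # contained
    print(attempt(find_user_safe, STEAL_CARDS, False))        # no match, no leak
```

The point of running the vulnerable version under both accounts is the "stringing together several issues" observation from earlier: the injection bug on its own only lets an attacker read the users table; the injection bug plus an over-privileged account lets them read the card numbers, and would let them write or drop tables if the query allowed it. Fix the code, but also cut the privilege, because the next bug will be in code you have not audited yet.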
... And finally
I've probably left out no end of stuff that others consider important, but the steps above should at least help you start sorting things out if you are unlucky enough to fall victim to hackers.
Above all: Don't panic. Think before you act. Act firmly once you've made a decision, and leave a comment below if you have something to add to my list of steps. Let's be careful out there.